Your message dated Sat, 29 Jun 2024 10:46:21 +0000
with message-id <e1snvb3-002bjk...@coccia.debian.org>
and subject line Released with 12.6
has caused the Debian Bug report #1073202,
regarding bookworm-pu: package python-aiosmtpd/1.4.3-1.1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1073202: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073202
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: python-aiosm...@packages.debian.org, d...@dalerichards.net
Control: affects -1 + src:python-aiosmtpd
User: release.debian....@packages.debian.org
Usertags: pu

[ Reason ]
This update resolves two security vulnerabilities present in
the version of python-aiosmtpd in Bookworm (1.4.3-1.1):

  * CVE-2024-27305 - SMTP smuggling due to poor handling of
    non-standard line endings (Bug: #1066820)
  * CVE-2024-34083 - STARTTLS unencrypted command injection
    (Bug: #1072119)

These have both been deemed unworthy of a DSA, but the
Security Team have suggested we update this package for the
next Bookworm point release.

[ Impact ]
Without this update, Debian 12 systems running aiosmtpd would
remain vulnerable to the two CVEs listed above.

[ Tests ]
The upstream package includes a comprehensive suite of tests,
all of which are passing with this new version. Additionally,
I have installed the new package on a Bookworm test box and
performed manual testing, confirming that the package's main
functionality works and that the two vulnerabilities are
correctly resolved.

[ Risks ]
The code changes are minor, and bring aiosmtpd into compliance
with the relevant sections of RFC 3207[1] and RFC 5321[2].
The update can therefore be considered low risk, and will not
cause an issue with any RFC-compliant SMTP client or MTA.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
  * CVE-2024-27305 - Patch aiosmtpd/smtp.py to accept only <CRLF>
    as a line terminator, as mandated by RFC 5321[2]. This patch
    has been adapted from the fix committed upstream[3].
  * CVE-2024-34083 - Patch aiosmtpd/smtp.py to discard any
    remaining unencrypted data in the input buffer upon completion
    of a STARTTLS handshake, as mandated by RFC 3207[1]. This patch
    has been adapted from the fix committed upstream[4].

[ Other info ]

References:

[1] https://datatracker.ietf.org/doc/html/rfc3207#page-7
[2] https://datatracker.ietf.org/doc/html/rfc5321#section-2.3.8
[3] https://github.com/aio-libs/aiosmtpd/commit/24b6c79c8921cf1800e27ca144f4f37023982bbb
[4] https://github.com/aio-libs/aiosmtpd/commit/b3a4a2c6ecfd228856a20d637dc383541fcdbfda
diff -Nru python-aiosmtpd-1.4.3/debian/changelog 
python-aiosmtpd-1.4.3/debian/changelog
--- python-aiosmtpd-1.4.3/debian/changelog      2023-05-25 15:09:53.000000000 
+0100
+++ python-aiosmtpd-1.4.3/debian/changelog      2024-06-07 18:11:07.000000000 
+0100
@@ -1,3 +1,13 @@
+python-aiosmtpd (1.4.3-1.1+deb12u1) bookworm; urgency=medium
+
+  * Team upload.
+  * CVE-2024-27305 - SMTP smuggling due to poor handling of
+    non-standard line endings (Closes: #1066820)
+  * CVE-2024-34083 - STARTTLS unencrypted command injection
+      (Closes: #1072119)
+
+ -- Dale Richards <d...@dalerichards.net>  Fri, 07 Jun 2024 18:11:07 +0100
+
 python-aiosmtpd (1.4.3-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
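Review bot: the continuation line `(Closes: #1072119)` under the CVE-2024-34083 entry is indented by six spaces while the matching continuation under CVE-2024-27305 uses four; align both bullets to the same four-space wrap so the changelog entry is consistent.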
diff -Nru python-aiosmtpd-1.4.3/debian/patches/0005-cve-2024-34083.patch 
python-aiosmtpd-1.4.3/debian/patches/0005-cve-2024-34083.patch
--- python-aiosmtpd-1.4.3/debian/patches/0005-cve-2024-34083.patch      
1970-01-01 01:00:00.000000000 +0100
+++ python-aiosmtpd-1.4.3/debian/patches/0005-cve-2024-34083.patch      
2024-06-07 18:11:07.000000000 +0100
@@ -0,0 +1,19 @@
+Description: CVE-2024-34083 - STARTTLS unencrypted command injection
+Author: Dale Richards <d...@dalerichards.net>
+Origin: upstream, 
https://github.com/aio-libs/aiosmtpd/commit/b3a4a2c6ecfd228856a20d637dc383541fcdbfda
+Bug: 
https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-wgjv-9j3q-jhg8
+Last-Update: 2024-06-07
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/aiosmtpd/smtp.py
++++ b/aiosmtpd/smtp.py
+@@ -504,6 +504,9 @@
+             self._reader._transport = transport
+             self._writer._transport = transport
+             self.transport = transport
++            # Discard any leftover unencrypted data
++            # See https://tools.ietf.org/html/rfc3207#page-7
++            self._reader._buffer.clear()  # type: ignore[attr-defined]
+             # Do SSL certificate checking as rfc3207 part 4.1 says.  Why is
+             # _extra a protected attribute?
+             self.session.ssl = self._tls_protocol._extra
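Review bot: `self._reader._buffer.clear()` reaches into a private attribute of CPython's asyncio.StreamReader (the `# type: ignore[attr-defined]` acknowledges this), so the mitigation rests on an implementation detail and nothing in the package would notice if a future Python release renamed or restructured that buffer; consider carrying a regression test that pipelines a command after STARTTLS and checks it is never executed, so the point release is protected against a silent regression. Separately, the DEP-3 header says `Origin: upstream` while the cover text describes the patch as adapted from the upstream commit; DEP-3 reserves `Origin: backport, <url>` for an upstream patch that had to be modified, and the same applies to the header of 0006-cve-2024-27305.patch.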
diff -Nru python-aiosmtpd-1.4.3/debian/patches/0006-cve-2024-27305.patch 
python-aiosmtpd-1.4.3/debian/patches/0006-cve-2024-27305.patch
--- python-aiosmtpd-1.4.3/debian/patches/0006-cve-2024-27305.patch      
1970-01-01 01:00:00.000000000 +0100
+++ python-aiosmtpd-1.4.3/debian/patches/0006-cve-2024-27305.patch      
2024-06-07 18:11:07.000000000 +0100
@@ -0,0 +1,51 @@
+Description: CVE-2024-27305 - SMTP smuggling
+ SMTP smuggling due to poor handling of
+ non-standard line endings
+Author: Dale Richards <d...@dalerichards.net>
+Origin: upstream, 
https://github.com/aio-libs/aiosmtpd/commit/24b6c79c8921cf1800e27ca144f4f37023982bbb
+Bug: 
https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-pr2m-px7j-xg65
+Last-Update: 2024-06-07
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/aiosmtpd/smtp.py
++++ b/aiosmtpd/smtp.py
+@@ -86,7 +86,7 @@
+ EMPTY_BARR = bytearray()
+ EMPTYBYTES = b''
+ MISSING = _Missing()
+-NEWLINE = '\n'
++NEWLINE = '\r\n'
+ VALID_AUTHMECH = re.compile(r"[A-Z0-9_-]+\Z")
+ 
+ # https://tools.ietf.org/html/rfc3207.html#page-3
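Review bot: changing `NEWLINE` from `'\n'` to `'\r\n'` alters every site that uses the constant, none of which are visible in this hunk; before accepting, check each use (any `.strip(NEWLINE)`, `.split(NEWLINE)`, or length arithmetic that assumes a one-character terminator) still behaves with a two-character value, since a site that only drops the last byte would now leave a stray `\r` on the line.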
+@@ -1375,9 +1375,10 @@
+             # Since eof_received cancels this coroutine,
+             # readuntil() can never raise asyncio.IncompleteReadError.
+             try:
+-                line: bytes = await self._reader.readuntil()
++                # https://datatracker.ietf.org/doc/html/rfc5321#section-2.3.8
++                line: bytes = await self._reader.readuntil(b'\r\n')
+                 log.debug('DATA readline: %s', line)
+-                assert line.endswith(b'\n')
++                assert line.endswith(b'\r\n')
+             except asyncio.CancelledError:
+                 # The connection got reset during the DATA command.
+                 log.info('Connection lost during DATA')
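Review bot: with `readuntil(b'\r\n')` a client that ends DATA with a bare `<LF>.<LF>` no longer terminates the message and stays in DATA until the read times out or the connection drops; that strictness is the point of the fix (the lone-dot comparison in the following hunk only matches `b'.\r\n'` when it is a whole line, so the `<LF>.<CRLF>` smuggling sequence is now swallowed as body text), but it is a visible behaviour change for non-compliant submitters and deserves a line in d/changelog or a NEWS entry. Also, `assert line.endswith(b'\r\n')` is stripped under `python -O`, so it documents the invariant rather than enforcing it.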
+@@ -1394,7 +1395,7 @@
+                 data *= 0
+                 # Drain the stream anyways
+                 line = await self._reader.read(e.consumed)
+-                assert not line.endswith(b'\n')
++                assert not line.endswith(b'\r\n')
+             # A lone dot in a line signals the end of DATA.
+             if not line_fragments and line == b'.\r\n':
+                 break
+@@ -1406,7 +1407,7 @@
+                 # Discard data immediately to prevent memory pressure
+                 data *= 0
+             line_fragments.append(line)
+-            if line.endswith(b'\n'):
++            if line.endswith(b'\r\n'):
+                 # Record data only if state is "NOMINAL"
+                 if state == _DataState.NOMINAL:
+                     line = EMPTY_BARR.join(line_fragments)
diff -Nru python-aiosmtpd-1.4.3/debian/patches/series 
python-aiosmtpd-1.4.3/debian/patches/series
--- python-aiosmtpd-1.4.3/debian/patches/series 2023-05-25 15:09:53.000000000 
+0100
+++ python-aiosmtpd-1.4.3/debian/patches/series 2024-06-07 18:11:07.000000000 
+0100
@@ -2,3 +2,5 @@
 0002-Drop-sphinx-autofixture-extension-requirement.patch
 0003-Remove-imported-images-from-the-web-for-privacy.patch
 0004-Replace-a-dynamic-date-in-copyright-by-a-static-one.patch
+0005-cve-2024-34083.patch
+0006-cve-2024-27305.patch

--- End Message ---
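Added illustration, not part of the bug report and not aiosmtpd's own code: a stand-alone Python model of the two behaviours the patches change, built on asyncio.StreamReader, the same reader type aiosmtpd consumes. The SMTP session bytes, the minimal command loop and the helper names (accepted_messages, commands_after_starttls) are constructed for this demonstration; the only things taken from the patches are the shape of the DATA loop (the readuntil() separator decides what a line is, and a lone `.\r\n` line ends DATA) and the clearing of the reader's private `_buffer` after STARTTLS.

```python
"""Stand-alone model of the two patched behaviours (added example, not aiosmtpd
code). All session bytes below are constructed for the demonstration."""
import asyncio

CRLF = b"\r\n"
LF = b"\n"

# Constructed session: one legitimate message whose body ends with <LF>.<CRLF>,
# followed by a second envelope. A strict upstream relay forwards all of this as
# one message; a server that ends lines on a bare LF accepts two.
SMUGGLED_SESSION = (
    b"MAIL FROM:<alice@example.com>\r\n"
    b"RCPT TO:<bob@example.com>\r\n"
    b"DATA\r\n"
    b"Subject: hello\r\n"
    b"\r\n"
    b"legitimate body\n.\r\n"            # bare LF before the dot: not <CRLF>.<CRLF>
    b"MAIL FROM:<ceo@example.com>\r\n"   # smuggled envelope
    b"RCPT TO:<bob@example.com>\r\n"
    b"DATA\r\n"
    b"smuggled body\r\n"
    b".\r\n"
)


async def _read_data(reader: asyncio.StreamReader, terminator: bytes) -> bytes:
    """Collect DATA lines until a lone-dot line; `terminator` defines a line,
    exactly as the readuntil() argument does in the patched smtp.py."""
    lines = []
    while True:
        line = await reader.readuntil(terminator)
        if line == b"." + CRLF:          # same comparison as the original loop
            return b"".join(lines)
        lines.append(line)


async def _session(reader: asyncio.StreamReader, terminator: bytes) -> list:
    """Minimal command loop; returns (sender, body) for every accepted message."""
    accepted = []
    sender = None
    while True:
        try:
            cmd = await reader.readuntil(CRLF)
        except asyncio.IncompleteReadError:
            return accepted                      # client closed the connection
        verb, _, arg = cmd.rstrip(CRLF).partition(b" ")
        if verb.upper() == b"MAIL":
            sender = arg
        elif verb.upper() == b"DATA":
            try:
                body = await _read_data(reader, terminator)
            except asyncio.IncompleteReadError:
                return accepted                  # connection lost during DATA
            accepted.append((sender, body))


def accepted_messages(terminator: bytes) -> list:
    """Run the constructed session with the given DATA line terminator:
    LF reproduces the pre-patch behaviour, CRLF the patched one."""
    async def run():
        reader = asyncio.StreamReader()
        reader.feed_data(SMUGGLED_SESSION)
        reader.feed_eof()
        return await _session(reader, terminator)
    return asyncio.run(run())


# Constructed client bytes: STARTTLS followed, in the same plaintext segment, by
# a command that must not be honoured because it arrived before the handshake.
PIPELINED_STARTTLS = b"STARTTLS\r\nMAIL FROM:<ceo@example.com>\r\n"


def commands_after_starttls(discard_plaintext: bool) -> list:
    """Commands the server would process once 'upgraded' to TLS. Clearing the
    reader's private _buffer is what the 0005 patch does; it relies on that
    CPython StreamReader implementation detail."""
    async def run():
        reader = asyncio.StreamReader()
        reader.feed_data(PIPELINED_STARTTLS)
        cmd = await reader.readuntil(CRLF)
        if cmd != b"STARTTLS" + CRLF:
            raise ValueError("expected STARTTLS")
        # The TLS handshake would happen here; anything already buffered was
        # received in the clear before it (RFC 3207 says discard it).
        if discard_plaintext:
            reader._buffer.clear()
        reader.feed_eof()                        # nothing further arrives over TLS
        seen = []
        while True:
            try:
                seen.append(await reader.readuntil(CRLF))
            except asyncio.IncompleteReadError:
                return seen
    return asyncio.run(run())


if __name__ == "__main__":
    for name, term in (("pre-patch (LF)", LF), ("patched (CRLF)", CRLF)):
        msgs = accepted_messages(term)
        print(f"{name}: {len(msgs)} message(s); senders {[s for s, _ in msgs]}")
    print("STARTTLS, buffer kept:   ", commands_after_starttls(False))
    print("STARTTLS, buffer cleared:", commands_after_starttls(True))
```

Run as a script, the LF variant accepts two messages with two different senders while the CRLF variant accepts one whose body contains the would-be second envelope as ordinary text; the STARTTLS variant shows the pipelined MAIL command surviving the upgrade unless the buffer is cleared. A real server must perform the clear after the TLS transport is installed and before the next read, which is where the 0005 hunk places it.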
--- Begin Message ---
Version: 12.6

The upload requested in this bug has been released as part of 12.6.

--- End Message ---
